> > Description:
> On the same filesystem, /tmp or /var in www pages perhaps, or perhaps even
> / if they get that deep, the risk exists that a user can archive a file
> away even though they don't have permissions to that file. It allows at
> least a "backup" of non-user owned files, to be put away for later
> examination. Whether this is intended or not to be this way I don't
> know. It's all ghoti to me.
Yes, this is intended. A directory entry points to an inode, and the inode points to the file contents, which will only be shown to you if you pass the validation (i.e., ownership checks) of the inode. The fact that you can write an extra dir-entry in a writable directory is not a huge security risk, since you are not able to change ownership of "your" hard link, so if you could not read it before, then you can't read it after the "original" is removed either, or just "later".

There are several things you can do to "protect" yourself or your system. One is to keep secret files in dirs where others do not have permission to read; the second is to just go with the defaults on OpenBSD installs and let the installer make a lot of different file systems so that the system files are not colocated with user-writable dirs, as opposed to, say, making only a single large / filesystem.

That said, some other Unices offer this as an option via sysctl, to prevent anyone from hardlinking to a file which you lack permission to read/write anyhow. OpenBSD does not have this as of now. I think it defaults to off on Linux since it broke stuff, so it's not generally considered "unintended" there either.

-- 
May the most significant bit of your life be positive.
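As an added example, not part of this thread, the following POSIX shell script demonstrates the reply's point: a hard link is only a second directory entry for the same inode, so it carries the same permission bits, and reading it through the new name is checked against that inode exactly as before. It assumes a writable temporary directory and the standard ln/ls/awk tools; the file /proc/sys/fs/protected_hardlinks is the Linux sysctl knob the reply alludes to (an assumption on my part, and it is simply reported as absent on other systems).

```shell
#!/bin/sh
# Added example (not from the thread): a hard link shares the inode, and
# therefore the permission bits, of the original name.
set -eu

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# inode_of FILE: print the inode number (ls -i is POSIX, unlike stat's flags)
inode_of() { ls -id "$1" | awk '{print $1}'; }

# mode_of FILE: print the ten-character permission string, e.g. "-rw-r--r--"
mode_of() { ls -ld "$1" | cut -c1-10; }

# make_hardlink SRC LINK: create LINK; succeed only if both names share an inode
make_hardlink() {
    ln "$1" "$2" && [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# can_read FILE: succeed if this process may read FILE's contents
can_read() { cat "$1" >/dev/null 2>&1; }

# --- demonstration ---------------------------------------------------------
secret="$demo_dir/secret"     # constructed sample file, owned by us
link="$demo_dir/link"
printf 'private data\n' > "$secret"
chmod 000 "$secret"           # strip every permission bit from the inode

make_hardlink "$secret" "$link"
echo "inode $(inode_of "$secret") shared; mode of link is $(mode_of "$link")"

# The new name does not grant anything the inode withheld.
if can_read "$link"; then
    echo "link readable (this process bypasses DAC, e.g. it is root)"
else
    echo "link not readable: the permission check lives on the inode"
fi

# Linux exposes an opt-in restriction on linking to files you cannot access;
# the path is assumed here and is simply absent on BSDs.
echo "Linux fs.protected_hardlinks: $(cat /proc/sys/fs/protected_hardlinks 2>/dev/null \
    || echo 'not present on this system')"
```

Restoring the mode on either name (chmod 644 on the original) makes both readable again, since both names resolve to the one inode being modified; that symmetry is exactly why a stray link in /tmp is not a way around the original owner's permission bits.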